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Abstract — Physical  layer  authentication  techniques  exploit 
signal  characteristics  to  uniquely  identify  radios.  We  describe 
how  multicarrier  systems  may  use  such  techniques  to  stealthily 
authenticate  while  maintaining  high  levels  of  security  and 
robustness.  We  show  that  with  channel  state  information  (CSI) 
at  the  transmitter  and  receiver,  multicarrier  authentication  sys¬ 
tems  can  further  improve  performance  by  carefully  allocating 
the  authentication  power  each  carrier. 


I.  Introduction 

Physical  layer  authentication  systems  have  been  shown  to 
be  stealthy,  robust,  and  secure  [1]  in  single  carrier  systems. 
In  this  paper  we  consider  extensions  to  multicarrier  systems 
to  improve  these  properties  [2].  In  particular,  we  show 
that  with  channel  state  information  at  the  transmitter  and 
receiver,  multicarrier  authentication  systems  can  further  im¬ 
prove  performance  by  carefully  allocating  the  authentication 
power  over  each  carrier. 

Multicarrier  systems  are  increasingly  prevalent  for  wide¬ 
band  wireless  communications.  We  are  motivated  by  the 
single-carrier  authentication  results  to  consider  how  the  use 
of  multiple  carriers  can  improve  the  stealth,  robustness,  and 
security  of  an  authentication  system. 


II.  System  Framework 

In  this  paper  we  consider  single-antenna  transceivers.  The 
sender  (Alice)  has  blocks  of  symbols  that  she  wishes  to 
transmit  to  the  receiver  (Bob).  The  adversary  (Eve)  is  able 
to  a)  observe  what  Alice  is  transmitting  and  b)  transmit 
arbitrary  messages  to  Bob. 

Alice  transmits  messages  to  Bob  in  plain  view:  Eve  can 
also  recover  the  messages.  In  addition,  Alice  superimposes 
tags  with  messages  for  authentication.  Bob  authenticates 
Alice  only  when  he  detects  the  correct  tags  in  the  received 
signal.  In  the  next  section  we  describe  how  the  messages 
and  tags  are  created  in  a  multi-carrier  setting. 


A  note  on  notation:  Bold  face  indicates  matrices  (e.g.  A). 
Upper  case  indicates  signals  in  the  frequency  domain  (e.g. 
H).  Lower  case  indicates  in  the  time  domain  (e.g.  h). 

A.  Signal  Model 

Suppose  that  Alice  and  Bob  communicate  using  multiple 
carriers.  In  general,  some  carriers  will  be  nulled  out  for 
spectral  shaping  purposes,  but  this  does  not  have  a  signifi¬ 
cant  impact  on  the  authentication  framework.  Therefore  we 
ignore  the  null  carriers  and  assume  that  there  are  N  >  1 
message  carriers. 

The  signals  are  transmitted  in  frames  represented  by  size 
N  x  N*  matrices  where  N*  is  the  frame  length.  We  assume 
the  signals  are  i.i.d.  and  do  not  use  time  indices.  Denote  the 
transmitted  signal  by  the  matrix  X  with  complex  entries 
{X(m,n)}  that  have  variance  <r2.  We  constrain  the  energy 
as  given  by  its  Frobenius  norm 

|X|2  =  Trace  (XHX)  (1) 

U|X|2  =  NNfa2x  (2) 

First  we  consider  untagged  signals  which  are  message- 

only  (no  tags).  The  transmitted  signal  is 

X  =  pS  (3) 

where  p  is  a  N  x  N  diagonal  scaling  matrix  and  S  is  a 

N  x  N?  message  matrix  satisfying 


E[S(m,  n )] 

=  0 

(4) 

E[\S(m,n)\2] 

=  o* 

(5) 

5 Zl(S(m,n )) 

=  NNf 

(6) 

m,n 


where  /(•)  is  the  indicator  function.  That  is,  the  message 
symbols  have  zero  mean  and  variance  a2,  and  they  occupy 
each  of  the  JVM  symbol  positions  in  the  frame.  The  term 
p  is  used  to  allocate  power  among  the  carriers  such  that 
equations  (2)  and  (3)  are  satisfied. 
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[3  Null  symbol 

□  Message  symbol  only 

□  Message  and  Tag  symbol 


Fig.  1.  Example  tag  placements  with  N  =  4.  N?  =  8  and  tag  spread 
N t  =  2.  a)  tag  on  specific  carriers  only,  b)  general  tag  placement. 


The  tagged  signals  are  formed  by  superimposing  the 
authentication  tag  T  with  the  message  S: 

X  =  psS  +  p*T  (7) 

where  ps,p*  are  scaling  matrices  and  T  satisfies 
E[T(m,ri)\  =  0 
E[\T(m,n)\2}  =  j  ^ 

J^I(T(m,n))  =  N*Nf 

m,n 

Note  that  the  tag  symbols  occupy  TV*  TV  4  out  of  a  possible 
NN?  symbol  positions  with  0  <  TV*  <  TV.  When  present, 
each  tag  symbol  has  zero  mean  and  variance  er2.  In  general 
AT  is  not  restricted  to  be  a  natural  number,  but  doing  so 
admits  the  natural  interpretation  of  TV*  as  the  number  of 
carriers  that  are  used  to  signal  the  authentication  (Figure 
lb).  In  general,  TV*  specifies  the  spread  of  the  tag  across 
the  symbols;  a  large  TV*  indicates  that  the  tag  is  very  spread 
out  over  many  symbols  while  a  small  TV*  indicates  that  the 
tag  is  concentrated  over  only  a  few  symbols.  Figure  la  is  an 
example  of  how  the  tags  are  not  confined  to  specific  carriers. 

Denote  the  kth  row  of  a  matrix  by  (•)*..  For  diagonal 
matrices  such  as  p  we  slightly  abuse  the  notation  to  write 
Pk  =  p{k,k).  The  terms  ps,p*  are  chosen  to  normalize  the 
energy  of  tagged  and  untagged  signals: 

E\pSk\2  =  E\pskSk  +  p{Tk\2  (11) 

where 

We  assume  that  the  message  and  tag  are  uncorrelated 

E[  Trace(SffT)]  =  0  (12) 

so  that  the  power  constraint  becomes 

Pk  =  ( Pk )2  +  ^|Sfc|2  ( Pk )2  (13) 


(8) 

T(m,n)  is  absent 
T{m,n )  is  present 

(10) 


Since  TVS,TV*  are  fixed  system  parameters,  specifying  ps 
determines  p*  and  vice  versa.  Note  that  |ps|2  (resp.  |p*|2) 
is  simply  the  overall  percentage  of  power  allocated  to  the 
message  (resp.  tag)  symbols.  The  untagged  signal  is  a  special 
case  of  the  tagged  signal  where  ps  =  p  and  p*  =  0.  We  thus 
use  the  more  general  formulation  of  equation  (7)  to  represent 
both  tagged  and  untagged  signals. 

Alice  wants  to  send  the  message  B  to  Bob.  They  also 
share  a  secret  key  k  £  1C,  where  \JC\  =  K,  that  is  used 
to  generate  the  authentication  tag  from  the  message.  The 
signals  and  tags  are  generated  as  follows 

s  =  fe(  B)  (14) 

T  =  g(B,k)  (15) 

The  encoding  function  /e(-)  encapsulates  any  coding,  modu¬ 
lation,  or  pulse  shaping  that  may  be  used.  The  corresponding 
decoding  function  fd(-)  is  used  at  the  receiver  and  satisfies 

B  =  fd(fe(  B))  (16) 

for  all  possible  inputs  B  of  /e(-).  For  example,  suppose  that 
/e(-)  applies  an  error-correction  code  to  the  raw  data  B. 
The  corresponding  decoder  fd(-)  depends  on  the  choice  of 
code.  Cyclic  codes  such  as  Reed-Solomon  (RS)  and  Bose- 
Chaudhuri-Hocquneghem  (BCH)  can  be  efficiently  decoded 
using  Berlekamp-Massey  algorithm  [3]. 

The  tag  generating  function  g(-)  is  assumed  to  be  one¬ 
way,  i.e.,  it  is  easy1  to  calculate  T  given  B  and  k,  but  hard 
to  find  k  given  T  and  B.  Further,  it  is  collision  resistant  so 
that  it  is  hard  to  find  X  ^  Y  such  that  p(X,  k)  =  g( Y,  k). 


The  transmitted  (time  domain)  signal  x  is  obtained  by 
taking  the  IDFT  of  X 

x  =  IDFT[X]  (17) 

=  FhX  (18) 


where  F  is  the  unitary  TV  x  TV  FFT  matrix  with  entries 

F(m,n)  =  — exp(—  j2nmn/N)  (19) 

v  TV 

and  0  <  m,  n  <  TV  —  1. 


B.  Channel  Model  and  Estimation 


We  assume  a  block  fading  multipath  channel:  h  is  a  length 
L  column  vector  that  is  constant  over  a  frame  of  symbols. 
The  channel  is  modeled  as  a  delay  line  with  equally  spaced 
taps 

L  —  l 

h(m)  =  a(l)S(m  —  l )  (20) 

1=0 


1  The  concept  of  easy  and  hard  calculations  can  be  characterized  by  their 
feasibility.  Hard  calculations  are  infeasible  to  compute  given  constraints  on 
computational  resources,  while  easy  calculations  are  feasible  to  compute 
under  the  same  constraints. 
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where  a(-)  are  i.i.d.  complex  zero-mean  Gaussian  random 
variables  with  variance  N/L.  The  frequency  response  of  the 
channel  is 

H  =  diag(Fh)  (21) 

where  h  is  zero-padded  to  N,  the  length  of  the  FFT.  The 
operator  diag(x)  returns  the  diagonal  matrix  with  (vector)  x 
on  the  main  diagonal.  Note  that  the  frequency  response  per 
carrier  has  unit  expected  variance  (cr^  =  1). 

Suppose  that  Alice  and  Bob  have  channel  state  informa¬ 
tion  (CSI),  i.e.,  prior  to  transmission  Alice  knows  H  and  for 
each  observed  block  Bob  has  H  =  H.  Using  the  channel 
estimate,  the  receiver  estimates  the  message  signal  as 


X(k)  =  H  ^  Y(k) 

\H(k)\ 2 

(22) 

H(k) 

(23) 

The  estimated  message  is 

B  =  fd(±) 

(24) 

where  fd(-)  is  the  decoding  function  corresponding  to  the 

encoder  fe(-)  from  equation  (15). 

C.  Tag  Detection 

With  his  estimate  of  the  data  B,  Bob  uses 

ff(-)  from 

equation  (15)  to  reconstruct  the  estimated  tag: 

T  =  g(B,k) 

(25) 

Bob  uses  matched  filtering  to  detect  it  in  his  observation 
Y.  He  calculates  the  residual  R  by  removing  the  message 
and  then  correlates  it  with  the  estimated  tag  to  obtain  the 

test  statistic  r. 

R  =  Y  —  Hps/e(B) 

(26) 

r  =  5R(tr((/otHT)/fR)) 

(27) 

The  receiver  performs  a  hypothesis  test  with  hypotheses 

Hq  :  T  is  not  present  in  R 

(28) 

Hi  :  T  is  present  in  R 

(29) 

The  decision  of  authenticity  5  is  made  according  to 

x  /  0  r<r° 

S=\l  T>T° 

(30) 

The  threshold  r°  of  this  test  is  determined  for  a  false  alarm 
probability  a  according  to  the  distribution  of  (■ t\Hq ).  As  in 
the  single  carrier  case,  the  authentication  is  low-complexity 
because  the  required  tag  generation  and  correlation  are 
simple  operations. 


1 )  False  Alarm  Probability:  In  order  to  limit  the  false 
alarm  probability  a,  we  calculate  the  threshold  r°  such  that 
P(t  >  T0|i?o)  <  ct.  There  are  two  main  cases  where  a  false 
alarm  can  occur:  when  the  observation  contains  no  tag  at  all 
or  when  the  observation  contains  an  incorrect  tag. 

We  assume  that  the  message  is  recovered  without  error 
because  that  is  when  authentication  is  useful.  That  is,  B  = 
B.  Consider  the  structure  of  the  residual  R 

R  =  HX  +  W-^HS  (31) 

=  H(X  —  psS)  +  W  (32) 

where  <r2,  is  the  noise  variance. 

Case  1:  the  transmitted  signal  does  not  contain  any  tag 
(i.e.,  X  =  pS).  Then 

r\H0  =  3?(tr((piHT)ifR))  (33) 

=  3?  (tr((p4HT )H {{p  -  ps) HS  +  W)))  (34) 

=  3?(tr(pi(p-ps)(HHH)THS))  +  u  (35) 

where  v  is  a  real  Gaussian  variable  with  zero  mean  and 
variance  a2  =  |/ot|2|H|2|f  |2ct2 . 

Consider  the  term  3?(tr(THS)).  It  is  a  sum  of  NtNf 
i.i.d.  variables  and  is  well  approximated  by  a  Gaussian 
distribution  when  A rtN*  is  large  (central  limit  theorem).  The 
mean  is  zero  (12)  and  the  variance  depends  on  the  symbol 
constellations.  For  example,  if  the  message  and  tag  are 
composed  of  QPSK  symbols,  the  variance  of  3?(tr(TffS)) 
is  ofs  =  N*Nf  *  |(1  +  1  +  0  +  0)  =  Thus  the  test 

statistic  t  is  Gaussian  with  zero  mean  and  variance 


al=\W\p-p°m*a2ts  +  al 

(36) 

Case  2:  the  transmitted  signal  contains  a  tag 
from  estimated  tag  (i.e.,  T  ^  T).  Then 

different 

t\H0  =  »(tr((p‘Hf)HR)) 

(37) 

=  3?(tr((piHT)‘f/(ptHT  +  W)) 

(38) 

=  3?(tr((/9t)2(HHH)TifT))  +  u 

(39) 

where  v  is  defined  as  in  case  1. 


Consider  the  term  3?(tr(TifT)).  It  is  a  sum  of  Nf'Nf 
i.i.d.  variables  and  is  well  approximated  by  a  Gaussian 
distribution  when  (V4./Vf  is  large  (central  limit  theorem). 
The  mean  is  zero  (12)  and  the  variance  depends  on  the 
symbol  constellations.  For  example,  if  the  tag  is  composed 
of  QPSK  symbols,  the  variance  of  3?(tr(TffS))  is  o2s  = 
7V4./Vf  *4(1 +  1  +  0  +  0)  =  N’^ ’ .  Thus  the  test  statistic  r 
is  Gaussian  with  zero  mean  and  variance 

a2  =  |pT|H|V2s  +  ^2  (40) 
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Without  priors  that  indicate  which  case  is  applicable,  the 
threshold  is  calculated  based  on  the  worst  case  distribution 
from  either  case  1  or  2.  Since  both  are  zero  mean  Gaussian 
distributions,  the  worst  case  has  the  larger  variance  <r2  from 
equations  (36)  and  (40). 

r°  =  argmin>l>(T/(7r)  >  1  —  a  (41) 

T 

where  $(•)  is  the  standard  Gaussian  cumulative  distribution 
function. 

2)  Detection  Probability:  When  Bob  generates  the  cor¬ 
rect  tag  (T  =  T),  the  test  statistic  is 

t\Hx  =  SR(tr((/9*Hf  )ffR))  (42) 

=  3?(tr((pi)2(H'ffH)TifT))  +  v  (43) 

=  |p4HT|2  +  v  (44) 


The  probability  of  detection  is 

p°(7)  =  i-$(  — 


Fig.  2.  Power  allocation  strategies.  Base  bars  represent  noise  power  on 
the  carriers,  white  bars  represent  message  power,  and  lightly  shaded  bars 
(45)  represent  tag  power.  Power  allocation  is  80%  message  and  20%  tag  ( Ps  = 

0.8,  P*  =  0.2). 


III.  Power  Allocation  Strategies 

Since  that  Alice  and  Bob  have  channel  state  information, 
the  Alice  can  vary  the  power  loading  across  carriers  to  im¬ 
prove  the  rate  of  the  message  or  tag.  It  is  well  known  that  the 
water-filling  power  allocation  maximizes  the  message  rate 
for  parallel  Gaussian  channels  [4],  When  no  authentication 
tag  is  transmitted,  the  optimal  power  allocation  is  given  by 

Pk  =  {v-Nk)+  (46) 

i  =  p  =  x>-jvfc)+  (47) 

k 

where  Pk  =  p{k,k)2,  P  =  \p\2  and  Nk  =  cr2 /|P(/c,  fc)|2. 
We  assume  that  p  is  given  and  that  the  allocations  ps ,  p1 
satisfy  equation  (13),  i.e.,  the  total  power  per  carrier  for 
tagged  and  untagged  signals  is  equal.  We  require  this  for 
stealth  purposes:  if  the  power  spectrum  of  the  signal  is 
different  it  is  easy  for  the  adversary  to  detect  the  anomaly. 

For  brevity  in  the  sequel,  we  denote  the  per-carrier  powers 
by  P£  =  ps(k,k)2,Pj:  =  pt(k,k )2  and  the  total  power 
constraints  by  Ps  =  | ps|2,P4  =  | p* | 2 . 

In  the  authentication  system,  we  transmit  message  and 
tags  simultaneously,  so  the  question  becomes  how  to  best 
allocate  the  power  between  message  and  tag  on  a  per-carrier 
basis  given  Ps  and  P*  (the  percentage  of  power  used  for 
the  message  and  tag). 

A.  Strategies 


consider  four  power  allocation  strategies  that  are  easy  to 
implement  (Figure  2).  Their  relative  merits  are  discussed  in 
the  next  section. 

By  design,  each  of  the  power  allocation  strategies  yields 
the  same  signal  power  per  carrier  as  the  untagged  signal. 
This  is  done  for  stealth  purposes:  an  abnormal  power  spec¬ 
trum  can  be  easily  detected  and  flagged  as  anomalous  by 
adversaries. 

1 )  Waterfill  Tag,  then  Message:  First,  allocate  the  tag 
powers  P{,  by  water- filling  with  the  power  budget  P4. 

Pk  =  {vt-Nk)+  (48) 

pt  =  (49> 

fc 

Then,  treating  the  tag  power  as  noise,  allocate  the  message 
powers  P^  by  water-filling  with  the  power  budget  Ps. 

Pk  =  {vs-Nk-Pl)+  (50) 

ps  =  $><  -  ^  -  pti+  <51) 

k 

This  strategy  is  shown  in  Figure  2a.  In  this  case,  the  message 
always  occupies  at  least  as  many  carriers  as  the  tag. 

2 )  Evenly  allocate:  First  we  determine  the  signal  powers 
Pfc  that  will  used  on  each  carrier  using  the  total  power  budget 
P  by  using  equations  (46)  and  (47).  Then,  using  the  message 
and  tag  power  allocations  (Ps,  P*,  respectively)  we  calculate 
the  message  and  tag  powers  per  carrier 

PI  =  PsPk 

Pfc  =  PlPk 


The  water-filling  allocation  given  above  maximizes  the 
message  rate  of  the  system  when  no  tag  is  transmitted.  We 
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(52) 

(53) 


This  strategy  is  shown  in  Figure  2b.  The  proportion  of 
message  to  tag  power  is  identical  for  each  carrier  with  non¬ 
zero  signal  power.  In  this  case,  the  message  always  occupies 
the  same  carriers  as  the  tag. 

3)  Wciterfill  Message,  then  Tag:  First,  allocate  the  mes¬ 
sage  powers  Pj!  with  the  power  budget  Ps . 

P£  =  ( Vs~Nk)+  (54) 

pS  =  (55) 

k 

Then,  treating  the  message  power  as  noise,  allocate  the  tag 
powers  Pi  with  the  power  budget  Pf. 

Pi  =  ( vt-Nk-Psk)+  (56) 

pt  =  Y,^~Nk~Pk)+  (57) 

k 

This  strategy  is  shown  in  Figure  2c.  In  this  case,  the  tag 
always  occupies  at  least  as  many  carriers  as  the  message. 

4)  Maximization  of  Message  Rate:  Consider  the  message 
capacity  of  the  kth  carrier.  With  the  message  and  tag 
allocations  I  f.  and  Pf  it  is 

cH‘«s(1  +  i^T7»)  (58) 


objective  function  is 

j(p‘)  = 

k 

+A 

k 

+y 

k 

+  ~  (Nk  +  Pl))  (64) 

k 


Since  the  cost  function  is  concave  and  each  constraint  is 
linear,  the  KKT  conditions  are  necessary  and  sufficient  to 
solve  the  problem.  The  KKT  conditions  are 


dJ{  P‘) 
dpl 

=  0  ,VJfc 

(65) 

A  {P'-Y^Pb 

k 

=  0,  A  >  0 

(66) 

Pk 

=  o  >  0  ,Vfc 

(67) 

Rk  (v  —  (Nk  +  Pf ) 

=  0,/r+>0,Vfc 

(68) 

Setting  the  derivative  to  zero  (65),  we  have 


1  1 
2  Nk  + P* 


+  H  ~  Tk  -  A 


(69) 


Note  that  the  tag  acts  as  additional  noise  to  the  message. 
With  the  water-filling  allocation  (46),  we  may  simplify  this 
equation  to 

Csk  =  {  5 l0g  Pfc"  >  °  (59) 

y  0  otherwise 

Suppose  we  wish  to  allocate  power  across  carriers  such 
that  the  message  rate  is  maximized.  From  (59)  is  clear  that 
carriers  with  zero  message  power  have  no  contribution  to 
the  capacity.  Thus  we  remove  the  carriers  with  Pk  =  0  from 
consideration,  and  for  brevity  write  to  mean  X^fc|ps>o- 


Case  1 :  Pi  =  0.  Then  ^>0,^=0 


1  1 
2  Nk 


+  Tk 


(70) 


Case  2:  0  <  Pi  <  v  —  Nk.  Then  fik 


2  Nk  +  Pi 


0,^=0 

(71) 


Case  3:  Pk  =  v  —  Nk.  Then  gtk  =  0,  nf  >  0 


(72) 


The  constrained  optimization  problem  is 

max  E  Cl  (60) 

k 

with  the  constraints 


E^ 

k 

=  p*  =  i- iip'ii2 

(61) 

n 

>  0,  Vfc 

(62) 

pi 

<  Pfc,Vfc 

(63) 

We  use  the  Lagrange  method  to  solve  the  problem.  The 


Ambiguities  remain  since  there  are  multiple  power  alloca¬ 
tions  that  will  satisfy  the  above  equations.  To  proceed  further 
we  use  the  following  lemma.  This  lemma  indicates  that  to 
maximize  the  total  capacity  of  two  independent  channels, 
it  is  better  to  add  any  interference  in  the  noisier  of  two 
channels. 


Lemma  1: 


For  A  >  0, 


5 


TABLE  I 

Simulation  parameters  for  the  multi-carrier,  perfect  CSI 
case 


Channel  Model 

Rayleigh  block  fading 

Noise  Model 

AWGN 

#  Carriers 

32  (4  taps) 

Channel  State  Information? 

Yes 

Modulation 

BPSK:  SNR  <  7dB 
4-QAM:  SNR  >  7  dB 
16-QAM:  SNR  >  12  dB 
64-QAM:  SNR  >  17  dB 

Channel  Estimate  Method 

Known 

#  Pilot  Symbols 

1  OFDM  symbol  per  frame 

Frame  Length 

4  OFDM  symbols 

False  Alarm  Probability 

10“ ' 

#  Monte  Carlo  Samples 

2 13 

if  and  only  if  N±  >  N2. 

Together  with  the  KKT  conditions,  it  is  clear  that  the 
optimal  strategy  places  the  tag  power  in  the  carriers  with 
the  highest  noise  levels.  The  sum  power  of  the  tags  are 
distributed  in  cases  2  and  3.  With  the  lemma,  only  a  single 
carrier  can  satisfy  case  2.  The  other  carriers  are  either 
dedicated  to  message  or  tag.  It  is  easy  to  check  that  the 
following  algorithm  yields  an  optimal  solution  (it  may  not 
be  unique): 

1)  Define  (descending)  order  statistics  such 

that  N(tl)  >  iV(t2)  >  •  •  •  >  N(tK) 

2)  Initialize  k  =  arg[min;(z/  —  iV(ti))  >  0], 

3)  While  k  <  K 

•  PL>  =  mi“  ((T  -  pk>) +  ■ "  -  "«•>) 

.  k  =  k+1 

This  strategy  is  shown  in  Figure  2d.  The  algorithm 
greedily  places  the  tag  power  in  the  carriers  with  the  highest 
noise  until  there  is  not  enough  power  to  entirely  occupy  any 
of  the  remaining  carriers.  At  that  point,  the  remaining  tag 
power  is  placed  in  the  next  noisiest  carrier.  Note  that  in  this 
strategy,  at  most  one  carrier  is  used  to  signal  both  message 
and  tag. 

IV.  Metric  Evaluation 

We  perform  a  Monte  Carlo  simulation  with  the  parameters 
in  Table  I. 

A.  Stealth 

The  stealth  of  the  authentication  system  can  be  measured 
by  its  message  throughput  and  by  its  BER.  We  consider  each 
in  turn. 


Message  Throughput  for  Various  Power  Allocations 
SNR=9dB,  32  Carriers 


Message  Power 

Fig.  3.  Throughput  for  various  strategies.  Frame  length  =  32  symbols. 
Average  SNR  =  9  dB. 


Throughput 

The  message  throughput  for  various  policies  is  shown 
in  Figure  3.  The  throughput  using  strategy  4  (the  optimal 
message  allocation)  is  consistently  high  when  the  message 
power  is  high  ( Ps  close  to  P  =  1).  The  other  strategies  are 
more  noticeably  affected  by  the  decrease  in  message  power. 
However,  the  throughputs  are  not  affected  in  the  same  way. 

Strategies  2  and  3  offer  reasonably  high  throughputs  when 
the  message  power  is  high.  There  is  little  difference  between 
the  two,  though  Strategy  2  is  marginally  better. 

Finally,  strategy  1  has  the  lowest  throughput  of  the  four 
power  allocation  strategies.  By  signaling  the  tag  over  the 
highest  SNR  carriers,  the  effective  message  is  lowered,  thus 
having  a  substantial  impact  on  throughput  when  Ps  is  not 
very  close  to  P  =  1. 

Message  BER 

When  the  authentication  tag  is  present,  power  is  necessar¬ 
ily  allocated  away  from  the  message,  and  hence  the  message 
BER  increases.  The  impact  of  the  authentication  tag  varies 
depending  on  the  power  allocation  strategy. 

Figure  4  shows  the  increase  in  BER  for  various  strategies. 
The  BER  is  the  least  affected  when  the  message  power  is 
near  1.  Of  the  strategies,  the  optimal  message  allocation 
has  the  best  stealth:  the  BER  is  the  least  impacted  for  all 
message  powers. 
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Effect  of  Authentication  on  BER  for  Various  Power  Allocations 


Message  Power 

Fig.  4.  Stealth  for  various  strategies.  Frame  length  =  32  symbols.  Average 
SNR  =  9  dB. 


Authentication  Performance  for  Various  Power  Allocations 
SNR  =  9dB,  32  Carriers,  Frame  Length  128,  a  =  0.01 


Fig.  5.  Robustness  for  various  strategies.  Frame  length  =  32  symbols. 
Average  SNR  =  9  dB.  False  alarm  probability  a  =  0.01. 


B.  Robustness 

The  robustness  of  the  authentication  system  is  given  by 
its  probability  of  authentication  for  a  given  false  alarm 
probability.  We  compare  the  effect  of  frame  lengths  as  well 
as  the  effect  of  various  power  allocation  strategies. 

Figure  5  shows  that  the  choice  of  policy  can  greatly 
impact  the  robustness  of  the  authentication  system.  The 
best  performing  strategy  is  to  allocate  water-fill  the  tag 
first  before  water- filling  the  message.  Strategies  1-3  have 
approximately  equal  performance,  but  strategy  4  performs 
much  worse. 

Since  strategy  4  places  the  tag  at  the  lowest  SNR  carriers, 
the  tag  detection  does  not  receive  much  benefit  from  any 
frequency  diversity.  The  tags  are  placed  in  the  highest 
noise  regions  by  design  in  order  to  maximize  the  message 
throughput,  and  as  a  result  the  authentication  performance 
suffers. 

C.  Security 

The  stealth  of  the  authentication  system  is  given  by  the  tag 
equivocation  of  the  unaware  or  adversarial  receiver.  When 
the  tag  is  observed  through  a  noisy  channel,  it  leads  to 
positive  key  equivocation.  Suppose  that  the  authentication 
tag  is  composed  of  M  bits.  For  example,  with  Nt  =  32  and 
N*  =  4  there  are  128  symbols.  With  binary  signaling  there 
are  M  =  256  bits. 

The  equivocation  of  the  authentication  tag  depends  on 
the  bit  error  rate  that  it  is  observed  with.  Suppose  that  the 
authentication  tag  T  is  composed  of  M  bits  and  is  observed 
with  i.i.d.  bit  errors  with  probability  p t.  We  can  calculate  the 


tag  equivocation  iT(T[p*)  by  iterating  through  the  number 
of  bit  errors  the  tags  can  contain  (between  0  and  M).  The 
probability  of  observing  n  errors  in  a  length  M  tag  with  bit 
error  probability  p*  is 

Pr(p\  n,  M)  =  (pT(l  -  pt)M~n  (73) 

Since  tags  with  the  same  number  of  i.i.d.  bit  errors  have 
the  same  probability  of  occurring  (and  there  are  length 
M  tags  with  n  errors),  the  tag  equivocation  is 

h<tIp')  =  <74) 

=  f.(T)Pr{p,'n'M)l^Pr(p>]nM 

where  Pr(-,  ■,  •)  is  defined  above  in  equation  (73). 

We  compare  the  equivocation  for  the  policies  as  shown  in 
Figure  6.  Clearly  the  power  allocation  that  maximizes  mes¬ 
sage  capacity  also  maximizes  the  tag  equivocation  among 
the  policies.  However,  from  the  previous  section  we  see 
that  this  allocation  also  performs  the  worst  in  terms  of  au¬ 
thentication  robustness.  The  remaining  two  policies  result  in 
very  similar  equivocation,  demonstrating  that  proportionally 
allocating  power  between  message  and  authentication  is  a 
reasonable  strategy  with  little  tradeoff.  As  before,  higher 
SNR  situations  reduce  the  tag  equivocation. 

V.  Conclusion 

We  have  extended  the  physical  layer  authentication  frame¬ 
work  [1]  to  multicarrier  systems  and  have  shown  how 
to  stealthily  authenticate  while  maintaining  high  levels  of 
security  and  robustness.  When  channel  state  information  is 
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Equivocation  for  Various  Power  Allocations 
SNR=9dB,  32  Carriers,  Frame  Length  128 
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+  Waterfill  message,  then  tag 
•  Optimal  message  allocation 
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Fig.  6.  Tag  equivocation  for  various  strategies.  Frame  length  =  32  symbols. 
Average  SNR  =  9  dB.  False  alarm  probability  a  =  0.01. 


known  to  the  transmitter,  we  demonstrated  that  the  allocation 
of  the  tag  power  plays  a  very  important  role  in  terms  of 
maintaining  stealth  and  robustness.  While  it  is  possible  to 
place  tag  energy  so  maximize  the  message  throughput,  it 
is  unusable  for  authentication.  Allocating  power  between 
message  and  tag  at  a  constant  ratio  per  carrier  is  shown 
to  have  good  overall  performance  while  requiring  little 
additional  computation. 
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